# Level 2: Unauthorised Authenticated Access

### <mark style="color:purple;">Task</mark>

The next level is fairly similar, with a slight twist. You're going to need your own AWS account for this. You just need the [free tier](https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/).

### <mark style="color:purple;">Resolution</mark>

1. **Creating an AWS Account:**

The first step is to create an AWS account. Go to [AWS](https://aws.amazon.com/free/) and sign up for a free-tier account.

Once the account is created, install the AWS CLI by running:

```bash
sudo apt install awscli
```

This will install the AWS CLI to interact with AWS services from your terminal.

2. **Obtaining AWS Access Key ID and AWS Secret Access Key:**

To get the credentials, go to the AWS Console and search for **'IAM'**.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfVh-HWbI4wTTVqcPzMzONNmIRVXcQPywJwaVFV2kXrdv--PDNeqG8OhXIyUGRG3QOeHt5j-k5Ms-iPaCbleVTHNmEf_D_rwmFzzsL9Eu6gO7v0KdQ6rv3iLjuxKHQHGwjgOf6IdA?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

On the left sidebar, navigate to **Users > Create User**.

![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXfYOUQlhxRHu4dQCaN2f6wrCpy0jO8GOZ30H2B0QJBIFiadNoOTO0vpJVCLMXZj1j1TLiQ-oejKNTNZ7-NMKVboVinCxXzWX64bzUU7tQJkwdS4k_u7sgSNlbJzCXb57TvwWeF3UA?key=yZvDq_-uDN4B0M8iByv7S1s4)![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXd8S0URdFOQ8eFlwmvqVL4qXH_119mQY2-ZYwt66S6YRyTKaZHBKHvTqlnT8Ydney40MU3p7UmzgQjmHr0I_qbU9bAA6jM8Vznypslzjwr8WCk9H8ET5h0eZSPVdPJqvZ6hzps_?key=yZvDq_-uDN4B0M8iByv7S1s4)

Fill in the required details.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdvV85rVmIl1fysEZyEAySUTWY-BRBrzS2J1mpsTAPdLLecfPr2pjWtYcQqjsgpPvgnFIkidPhJl9s51XcajrRSbeinyMLsbxvz3eNi7C8frWtnZPYNDWZ3ofb25K0wveKCSBob?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXd447PwEQgIHWMHjNdBT65jI0vqB4SikxmEcn7A_w_pdAQfnLC2rFhfHAHJICyAUMDyFuHzk-lXvXQKn2kuJD1B9IuLwhbEBRc8q8mJ-lNqc5bixZNYUqfwwLBpq-MuSDqoHfns-Q?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXf2u-r6D_eo4SEkr9-DRom_Mdn7DIxeu9lFTikeWnDcdHVdjvPTLsHNKvOJ5a-o0O4k15iIu0kZZ-SX1zzWSs0E-Pj9osKAQO_qgP22_ByWPb39Y0yjdDG72zJ5pUzJNlLlxbUJ?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

Once the user is created, go back to the user's page and create the access keys.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcfy8YwpN_Nsejv9wycCrF0Althty4TQ2g81ukXxajQMZJPNtrVisQKTUn98vsoYMuBp2xS_N1gP4mSKqbCco1EdCu2fINxL8GoT1MMy_BilFnLHxUAFX1vrtBPbCLBsOHc-s71pQ?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcTDyNjxb7HDMd7Jm3nVckIO47DH6TflWZit6nAOfaqocGN-nK7glfL4c5sUQUpSI6oEE2N8VTr3t9MENTHiOJ8G4vLTxhPhLduRYcu1yHg1G_mjrAGuteYmy1hi89ddEEHh0pN?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXd_d_afEYCIgkCXUQl5mExw4n7ARKsJwhilI3IeSNZqLYOkFuDIdC1QnjQvQI_kmGblUb3rDDk13BwNsHLcvi11hc4F5OSJXi-Y8Ef3tK0j3UXoGdYDhna9xbfEMBhmXUqz7SjFsw?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

3. **Configuring AWS CLI:**\
   With the keys obtained, run the following command in your terminal:

```bash
aws configure
```

You will be prompted to input:

* **Access Key ID** -> the access key ID from the key pair you just created
* **Secret Access Key** -> the matching secret access key
* **Default region name** -> us-east-1
* **Default output format** -> json

To verify if the configuration is correct, run:

```bash
aws s3 ls
```

If it returns an empty result (no error, simply no buckets listed yet in your new account), the configuration is correct.

4. **Finding the Flag:**\
   Now that everything is set up, we are ready to find our flag.

As we saw, `aws s3 ls` on its own lists the buckets of our own account. To list the target bucket we name it explicitly, and we also pass our user profile with `--profile default`. The command looks like this:

```bash
aws s3 --profile default ls s3://<url>.flaws.cloud
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeCd2JyJqU1M2UmQdkH0ixi8kdWZD-gs0gbHI3xEz8dSe1tNHPAlQ2orI8sQavOSFZlWXp-8C4K32Koc1T7rJQLxD_Z_1OjAMeQjtKGM4nfwUeGqp5tss67e31XRB7sues-TVikNQ?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

And if we visit the secret URL:

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXf6MjI79WuNP8GePt8Gw4_m5fbqUzaRqCWOMAj_ohQ5QaZaxikgalMqxixkK6MsvlW5xzLk7Tl6R0iWaZoDaLDfbIOnmfxZFa6em4ly5UblNnXLBgYBXPgwgjyBijQaKGYoe_NqUA?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

### <mark style="color:purple;">Lesson Learned</mark>

Similar to opening permissions to "Everyone", people accidentally open permissions to "Any Authenticated AWS User". They might mistakenly think this will only cover users of their own account, when in fact it means anyone who has an AWS account.

### <mark style="color:purple;">Examples of this problem</mark>

* Open permissions for authenticated AWS user on Shopify ([link](https://hackerone.com/reports/98819))

### <mark style="color:purple;">Avoiding the mistake</mark>

Only open permissions to specific AWS users.

<figure><img src="https://657071395-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6TULCIQYFngHxc4snxrs%2Fuploads%2FYDCCf6JaYx8BpnfIzRRk%2Fimage.png?alt=media&#x26;token=c96fbd27-e9fc-44e5-9d73-4d2838407db6" alt=""><figcaption></figcaption></figure>

This screenshot is from the web console in 2017. This setting can no longer be set in the web console, but the SDK and third-party tools sometimes still allow it.
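One way to audit your own buckets for this mistake, as an added example that is not part of the original write-up: the function below inspects the JSON shape returned by `aws s3api get-bucket-acl` and flags grants to the predefined `AuthenticatedUsers` and `AllUsers` groups, which expose the bucket beyond the owning account. The sample ACL is constructed for illustration; the owner ID in it is a placeholder.

```python
"""Audit S3 ACL grants for the "Any Authenticated AWS User" mistake.

Added example, not code from the flaws.cloud write-up. Runs offline on the
JSON shape returned by `aws s3api get-bucket-acl` (constructed sample below).
"""
import json

# Predefined S3 group URIs that appear as Grantee.URI in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def risky_grants(acl: dict) -> list:
    """Return grants that expose the bucket beyond the owning account.

    A grant to AuthenticatedUsers is flagged because "authenticated" means
    any AWS account in the world, not just users of this account.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account: fine
        uri = grantee.get("URI", "")
        if uri == AUTHENTICATED_USERS:
            scope = "any AWS account (AuthenticatedUsers)"
        elif uri == ALL_USERS:
            scope = "the whole internet (AllUsers)"
        else:
            continue  # other groups (e.g. LogDelivery) are not public exposure
        findings.append({"permission": grant["Permission"], "scope": scope})
    return findings


# Constructed sample: a bucket ACL with the Level 2 misconfiguration.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "PLACEHOLDER-OWNER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "PLACEHOLDER-OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}""")

if __name__ == "__main__":
    for finding in risky_grants(SAMPLE_ACL):
        print(f"{finding['permission']} granted to {finding['scope']}")
```

To check a real bucket, pipe the output of `aws s3api get-bucket-acl --bucket <bucket-name>` into `json.loads` and pass the result to `risky_grants`.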
